Sunday, June 14, 2015

Android Copy and Paste - what risks?

This discussion may be relevant and useful to the process of evidence gathering, eDiscovery investigations and examiner procedures. Experienced examiners or investigators, new to industry or students that may be unaware of this subject matter.

The Android clipboard-based framework (Android Content Provider) enables copy and paste directly to and from the clipboard not only of simple text but also complex data structures, text and binary stream data and application assets.

Key Classes

- ClipboardManager
- ClipData
- ClipData.Item
- ClipDescription
- Uri
- ContentProvider
- Intent
This content provider enables the distribution of objects stored on the clipboard to be distributed among user applications subject to the permission granted for copying and pasting outside of a particular application.
The practical application for using clipboard copy and paste might be generally understood by smartphone users but the less experienced smartphone user may not know or realise that items stored on the clipboard may still reside in memory on particular smartphones long after the paste function was used. The same might also apply to examiners relying on extracted and harvested data from a DUT (device under test) using a particular examination tool of choice. The tool may not logically recover clipboard objects. Moreover, the copied data may not be distinguishable from a deleted SMS message when carving data from a physical extracted dump (JTAG/chip off), so checking the clipboard identifies is important.
Conduct a test on a smartphone of your choice. Tests run on a random number of makes/models not all were found to allow revisiting pasted data from previous copying, not all allowed data copied in one application (e.g. WhatsApp) to be made available to another (e.g. text messaging). Thus, manual examination might need to be applied during an examination process in order to determine during discovery any vital data (evidence) excluded during a tool’s recovery procedure.
As there are variances between makes/models it equally raises concerns of any missed opportunities to recover data during past examination.
DUT – Samsung GT-I9100P
Android OS version – Ice Cream Sandwich


The manual examination test applied: select a new, blank SMS test message page and apply continued finger pressure to the text message field. The DUT vibrates and the dialogue box offers two options: PASTE or CLIPBOARD (see image below). Select CLIPBOARD.

The DUT responds with multiple choice of previously copied data that may be reused.  The first entry box is a copy message from the Samsung SMS text message application. The copied data with a stated date and time stamp in the fourth entry box is data copied from a message in WhatsApp.

Note the format change of the date and the clock is out by one minute, when cross-referenced to the WhatsApp image below. Is this down conversion from one application to another?  Are there two clocks being used on the same smartphone? Was the SMS message created first and copied and pasted into WhatsApp? Or is it something else?

Further issues to be considered. Subject to the matter as mentioned above regarding permission granted to copy and paste outside of a particular application; Android in itself does not require any permission to be entered to write data to or read data from the clipboard. Consequently, this can leave a security loophole in place where an application requires a user to copy their credentials (passwords, PINs etc.) first before the user may make use of an application.
Moreover, the android.content.ClipboardManager.OnPrimaryClipChangedListener is an interface within Android SDK enabling listener call-back that is invoked each time a clipboard item changes. A change in password, PIN etc updated by a particular application could update the clipboard previously stored data. This could be problematical by causing a breach in security if malware were to be unintentionally installed to the smartphone and then credentials leaked to an outside source. The smartphone security for copy and paste therefore can only be as good as the permission granted within the applications being installed and used.

Observations. When making analysis of security an examiner/investigator simply referring to the latest makes/models of smartphones or apps on the market may well be flawed in using that analytical approach. There are a considerable number of handsets out there which are in use on a day-to-day basis for work and personal activity. These can be e.g. 5yrs to 10yrs old. Operators are currently offering an alternative to subsidised handsets by offering SIM ONLY contracts. The smartphone won’t be updated. Companies may well fail in their fiduciary responsibilities and duty of care at board level owed to the company to offload natural company expenditure by avoiding providing communication devices to company employees. To foster the notion to employees to BYOD (bring your own device) the employee is in fact playing a part in subsidising a company’s communications system and therefore its security; retains the opportunity for security loopholes to be created by employers assuming that smartphone users know everything about their smartphone, which is a fallacy.

No comments: